From 1269a40f3fc805ec624a2feee5cfd8e8711db0d7 Mon Sep 17 00:00:00 2001 From: pmkuipers Date: Sun, 24 May 2020 14:29:06 +0200 Subject: [PATCH] Replaced account password verification through "sudo doveadm" with password_verify() call --- app/DovecotPw.php | 29 +------------------- app/Http/Controllers/AccountPwController.php | 17 ++++++------ 2 files changed, 10 insertions(+), 36 deletions(-) diff --git a/app/DovecotPw.php b/app/DovecotPw.php index 3abbff2..d26c722 100644 --- a/app/DovecotPw.php +++ b/app/DovecotPw.php @@ -1,5 +1,6 @@ ["pipe","r"], 1 => ["pipe", "w"], 2 => ["pipe", "w"]], - $fp); - - // write password - fwrite($fp[0],$password . "\n"); - - // retrieve hash - $s = fread($fp[1],512); - - // and only return the parts before the first line end - $lines = preg_split("/\r\n|\n|\r/", $s); - if(preg_match('/(.*)auth succeeded$/',$lines[0])) - { - return true; - } - else - { - return false; - } - - } - } \ No newline at end of file diff --git a/app/Http/Controllers/AccountPwController.php b/app/Http/Controllers/AccountPwController.php index 09ad5e1..6319033 100644 --- a/app/Http/Controllers/AccountPwController.php +++ b/app/Http/Controllers/AccountPwController.php @@ -57,13 +57,6 @@ class AccountPwController extends Controller 'newpass' => ['required', 'string',], ]); - // now validate if proper password credentials were sent - $validCredentials = DovecotPw::Validate($validatedData['username'],$validatedData['pass']); - if(!$validCredentials) - { - throw new ErrorException("Username/Password do not match"); - } - // split account into user and domain $dparts = explode('@',$validatedData['username'],2); $username = $dparts[0]; 
@@ -71,9 +64,17 @@ class AccountPwController extends Controller // retrieve proper account $account = Account::where('username',$username)->where('domain', $domain)->firstOr(function(){ - throw new ErrorException('Account not found'); + throw new ErrorException("Username not recognized"); }); + // now validate if proper password credentials were sent + $hash = preg_replace("/^\{.*?\}/","",$account->password); + $validCredentials = password_verify($validatedData['pass'],$hash); + if(!$validCredentials) + { + throw new ErrorException("Username/Password combination not recognized"); + } + // Check if password meets policy and set if so if(Entropy::Calculate($validatedData['newpass']) < static::MinimumEntropy) {
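Review bot: The two added exceptions let a caller tell a missing account from a wrong password: the `firstOr` closure throws "Username not recognized" while the failed `password_verify()` branch throws "Username/Password combination not recognized", so the responses can be used to confirm which mailboxes exist. Throw the same message from both paths, e.g. `throw new ErrorException("Username/Password combination not recognized");` inside the closure. If response timing is also a concern, the missing-account path would need to run `password_verify()` against a fixed dummy hash as well. Separately, stripping the `{SCHEME}` prefix only works when the remainder is a crypt-style hash that `password_verify()` understands; a value stored under another Dovecot scheme fails closed but locks that user out, so a comment such as `// only crypt-format Dovecot schemes can be verified here` above the `preg_replace` line would document the limit. The enclosing controller method starts and ends outside this hunk.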